
Add OAuth Authorization Code + PKCE grant flow for public clients #30329

Draft
wants to merge 5 commits into
base: main

Conversation

@ThisIsMissEm (Contributor) commented May 16, 2024

This is a heavy work in progress, but from what I can tell so far, it is fully backwards compatible with what we currently have in Mastodon 4.2.x and main. This will of course need a TONNE of test coverage and integration tests, which I've yet to have time to write.

This gives us a much better way to solve #30316 and #24871, as the majority of OAuth Applications being registered at the moment are likely from public clients, such as web clients like Phanpy, Pinafore, and Semaphore, and mobile clients such as Ivory, Mastodon's official mobile apps, etc.

This PR would also pair nicely with #27948, since we'd want public clients to be able to regularly refresh their access tokens. I might roll that into this PR, and then have more comprehensive tests for everything.

We would probably want to extend the Apps API with support for software_id and software_version to help with grouping applications together, which would be an additional two columns on the oauth_applications table.

You do still need to use dynamic client registration since you need a client_id to interact with /oauth/authorize, but this paves the way for, in the future, accepting either client_id of IRIs to a public identifier document, or for IndieAuth or FedCM.

@ThisIsMissEm ThisIsMissEm marked this pull request as draft May 16, 2024 15:23
@ThisIsMissEm (Contributor, Author) commented:

If you want to test this out, you can use https://www.oauth.com/playground/authorization-code-with-pkce.html to generate a code_verifier and a code_challenge — the code challenge is passed to /oauth/authorize via query parameter, along with the code_challenge_method of S256.

e.g.,

```
http://localhost:3000/oauth/authorize
  ?client_id=bRiJth_XPQk3U6yQVI4qKEoN5ipbsCkH8KjqbZ7wpxY
  &redirect_uri=urn:ietf:wg:oauth:2.0:oob
  &response_type=code
  &code_challenge=TtzRZS5lMynQ-pmR29ecscSwPFbMI_p8BtcZDyQLpo8
  &code_challenge_method=S256
```

The code for access token exchange then looks like:

```
POST http://localhost:3000/oauth/token

client_id=bRiJth_XPQk3U6yQVI4qKEoN5ipbsCkH8KjqbZ7wpxY
redirect_uri=urn:ietf:wg:oauth:2.0:oob
grant_type=authorization_code
code=<the generated code displayed to the user>
code_verifier=sVEmrFWkbAduJW1wtIiVO_an80lMfvCzmBhOoAgRRP8UvARm
```
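As an added illustration (not code from this PR, Mastodon or Doorkeeper), here is the PKCE flow the comment above walks through, in Ruby: the client derives the S256 challenge from its verifier and builds the /oauth/authorize and /oauth/token requests, and the server recomputes the challenge from the presented verifier and compares it in constant time to the one stored with the authorization code. The client_id and redirect_uri are the ones from the comment; the verifier/challenge pair used to check the derivation is the RFC 7636 Appendix B test vector.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# RFC 7636: a verifier is 43..128 unreserved characters.
VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/

# base64url without padding, using only core Ruby (no base64 gem needed).
def base64url(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

# Client side: 32 random bytes -> a 43-character verifier, the RFC minimum.
def generate_code_verifier(bytes = 32)
  SecureRandom.urlsafe_base64(bytes, false)
end

def valid_code_verifier?(verifier)
  verifier.is_a?(String) && verifier.match?(VERIFIER_RE)
end

# S256: BASE64URL(SHA256(ASCII(code_verifier))).
def code_challenge_s256(verifier)
  base64url(Digest::SHA256.digest(verifier))
end

# Only the challenge (never the verifier) goes to /oauth/authorize.
def authorize_url(base, client_id:, redirect_uri:, code_challenge:)
  params = { client_id: client_id, redirect_uri: redirect_uri, response_type: 'code',
             code_challenge: code_challenge, code_challenge_method: 'S256' }
  "#{base}/oauth/authorize?#{URI.encode_www_form(params)}"
end

# Form body for the /oauth/token exchange; the verifier is revealed only here.
def token_request_body(client_id:, redirect_uri:, code:, code_verifier:)
  URI.encode_www_form(client_id: client_id, redirect_uri: redirect_uri,
                      grant_type: 'authorization_code', code: code,
                      code_verifier: code_verifier)
end

# Constant-time comparison so the check does not leak matching prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: challenge and method were stored when the code was issued.
def verify_code_challenge(stored_challenge, method, presented_verifier)
  return false unless valid_code_verifier?(presented_verifier)
  case method
  when 'S256'  then secure_equal?(stored_challenge, code_challenge_s256(presented_verifier))
  when 'plain' then secure_equal?(stored_challenge, presented_verifier)
  else false
  end
end
```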

(Contributor) commented:

This pull request has merge conflicts that must be resolved before it can be merged.
